Email Injection in Flask with Hmac Signatures

Email Injection occurs when user-controlled input is improperly sanitized in email-related headers or message bodies, allowing an attacker to inject additional headers such as CC, BCC, or even new message content. In Flask applications that implement Hmac Signatures to validate the origin of requests or tokens, a common misconception is that the cryptographic integrity check alone prevents injection. However, if the application embeds user-supplied data (e.g., a display name, email address, or callback URL) into an email header or message without strict validation or encoding, and then signs that payload, the signature may still verify successfully while malicious header injection occurs.

Consider a Flask route that accepts a JSON payload containing an email and a name, constructs a message string, and signs it with an Hmac key before sending. If the developer concatenates the raw user input into the message or header without sanitization, an attacker can provide a name like Alice\r\nCC: [email protected]. The Hmac signature covers the entire message including the injected sequence, so verification passes. When the email is later rendered or forwarded by the mail server, the injected header is interpreted as a separate routing instruction. The presence of Hmac Signatures does not neutralize injection; it only ensures the payload has not been tampered with after signing. This pattern is especially risky in Flask apps that use libraries such as itsdangerous for signing tokens that are later embedded in email templates or links.

Real-world examples include abuse in password reset flows where an attacker controls the email field and appends additional headers via newline sequences, or in webhook notifications where a signed JSON body includes a user-controlled URL that is later placed into email headers. The OWASP API Top 10 category on Injection applies here, mapping to broken input validation rather than broken authentication. Tools like middleBrick can detect such risks by analyzing the unauthenticated attack surface, identifying endpoints that accept email-like parameters and inspecting whether user input is sanitized before inclusion in headers or message bodies.

Remediation focuses on strict input validation, safe encoding, and separation of signing from user-controlled content. Do not sign raw user input that will be placed in headers or message bodies. Instead, canonicalize and sanitize all external data before incorporating it into any structure that is signed or transmitted.

Example 1: Safe token-based email confirmation with Hmac

Use itsdangerous to sign a minimal payload that contains only a user ID and a timestamp, and keep user-supplied display names out of the signed payload. Render the name safely in the email body after validation.

from flask import Flask, request, jsonify, url_for
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
import re

app = Flask(__name__)
app.config['SECRET_KEY'] = 'super-secret-key-change-in-production'

def is_safe_email(value):
    # Basic RFC 5322 local-part and domain validation; adjust to your policy
    pattern = r'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'
    return re.match(pattern, value) is not None

@app.route('/request_confirmation', methods=['POST'])
def request_confirmation():
    data = request.get_json()
    email = data.get('email', '').strip()
    name = data.get('name', '').strip()

    if not is_safe_email(email):
        return jsonify({'error': 'invalid email'}), 400
    if not name or re.search(r'[\r\n]', name):
        return jsonify({'error': 'invalid name'}), 400

    s = Serializer(app.config['SECRET_KEY'], expires_in=3600)
    token = s.dumps({'user_id': 123, 'email': email}).decode('utf-8')

    confirmation_url = url_for('confirm_email', token=token, _external=True)
    # Safe rendering: name is escaped by the email library/template engine
    message = f'Hello {name}, please confirm at {confirmation_url}'
    # send_email would use safe headers, e.g., email.message.EmailMessage
    return jsonify({'message': 'confirmation sent'})

Example 2: Signing and sending with proper header separation

If you must include dynamic content in email headers, ensure newline characters are stripped and the signing covers only safe, canonical fields. Use a dedicated email library that enforces header safety rather than building raw strings.

import hmac
import hashlib
from flask import Flask, request, jsonify
from email.message import EmailMessage

app = Flask(__name__)
SECRET_KEY = b'another-secret-change-me'

def build_and_sign(user_email, display_name):
    # Canonical payload excludes raw headers that may contain injection vectors
    payload = f'email={user_email}&name={display_name}'.encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return sig

@app.route('/send_welcome', methods=['POST'])
def send_welcome():
    data = request.get_json()
    email = data.get('email', '').strip()
    name = data.get('name', '').strip()

    # Validate before using
    if '@' not in email or '\r' in name or '\n' in name:
        return jsonify({'error': 'invalid input'}), 400

    sig = build_and_sign(email, name)
    # Use a safe email library; do not manually concatenate headers
    msg = EmailMessage()
    msg['Subject'] = 'Welcome'
    msg['From'] = '[email protected]'
    msg['To'] = email
    msg.set_content(f'Hello {name}, welcome! signature={sig}')
    # send_message(msg)
    return jsonify({'status': 'queued', 'sig': sig})

In both examples, the Hmac signature does not protect against injection of new headers; it only ensures the integrity of the canonical payload. Input validation, safe encoding, and using high-level email APIs are required to prevent Email Injection.